Context-Inappropriate Capability
Medium
- Confidence
- 91% confidence
- Finding
- The skill explicitly supports impersonation via a temporary header, allowing operations to be performed as another user if the backing token has sufficient privileges. Even if intended for legitimate administration, this materially expands the blast radius of the skill and can enable unauthorized access, audit confusion, or abuse if a user or agent invokes it without strict authorization controls.
